Arbitrary File Read

Affecting rendertron-middleware package, versions <0.1.3

medium severity

Overview

rendertron-middleware is an Express middleware for Rendertron.

Affected versions of this package are vulnerable to Arbitrary File Read. An alternative protocols such as file:// introduced a Local File Inclusion (LFI) bug where arbitrary files can be read by a remote attacker.

Remediation

Upgrade rendertron-middleware to version 0.1.3 or higher.

References

Do your applications use this vulnerable package?

Credit
Unknown
CVE
CVE-2017-18354
CWE
CWE-200
Snyk ID
SNYK-JS-RENDERTRONMIDDLEWARE-72701
Disclosed
17 Dec, 2018
Published
18 Dec, 2018